CVE-2025-40118

Vulnerability

Overview

The vulnerability resides in the Linux kernel's pm8001 SCSI driver. When a device is behind an expander (e.g, the attached_phy field contains the remote phy ID on the expander, not the local phy ID on the host bus adapter (HBA). The pm8001_ha->phy array only holds the HBA's phys (e.g., 8 entries). Using attached_phy to index this array when the device is behind an expander can cause an out-of-bounds access, as reported by UBSAN with an index of 28 on a system where the HBA has only 8 phys [1].

Exploitation

Conditions

The bug is triggered during module removal (rmmod) when the driver attempts to clear phy_attached for devices connected through an expander. No special permissions are required beyond the ability to load/unload the driver. The attack surface is local; a user with access to the system could cause the kernel to perform an invalid memory access, potentially leading to a crash or denial of service.

Impact

An attacker who can trigger rmmod of the pm8001 driver when an expander is connected can cause a kernel crash due to the out-of-bounds array access. This results in a denial of service. The issue does not appear to allow privilege escalation or arbitrary code execution based on the description.

Mitigation

The fix ensures that the phy_attached field is only cleared for directly attached devices, not for those behind an expander, thus avoiding the out-of-bounds access on rmmod. The patch has been applied to the stable kernel tree [2] and is included in subsequent stable releases. Users should update their systems to the latest stable kernel version to mitigate this vulnerability.